Sophos: Microsoft Doesn't Need to Open Up PatchGuard

In an interview with BetaNews on Friday afternoon, Sophos senior security analyst Ron O'Brien suggested that, even though his company plans to participate with Microsoft's program to build a security services API for Windows Vista SP1 -- and perhaps because of that fact -- Microsoft does not need to create a bypass mechanism for its upcoming PatchGuard kernel lockdown service, as other vendors have recently insisted.

"Two of our largest competitors, McAfee and Symantec - which clearly have anti-virus products that compare to Sophos - have publicly complained that being locked out of the Vista kernel somehow prevents them from being able to innovate," O'Brien noted.

"I would say that the opposite is really true: that by not focusing on having Microsoft provide us with the means to access the kernel, and in fact using the APIs that have [already] been provided by Microsoft, we are not experiencing any problems with PatchGuard for our latest HIPS technology, Sophos Anti-Virus, or any of the other aspects of our security offering for either 32-bit or 64-bit versions of Windows Vista."

By HIPS, O'Brien is referring to Sophos' current Host Intrusion Prevention System, a version of which is being planned for the initial release of Vista. The system uses heuristics to examine the behavior of software that signature-based scanning has not identified as a virus, to determine whether it is likely to negatively impact the system.

Lots of vendors use specialized trademarks to identify their heuristics, and Sophos' is no less fancy: Behavioral Genotype Protection. Sophos describes this feature as being able to identify malware at the gateway even without a signature, and delete it before it executes.

Despite the lofty terminology, this is not a new concept, and as McAfee chief scientist George Heron put forth in a recent ZDNet blog post entitled "Why Microsoft is Wrong on Vista Security," it's a feature of most modern enterprise-level anti-virus packages now.

But as Heron argued, for vendors to be able to continue to provide this functionality, they would need to have the ability to "hook the APIs" - meaning, to detect whether certain function calls to the operating system are being made as potentially malicious code is being executed. With Microsoft disabling this kind of hooking, Heron wrote, vendors can no longer provide security the way they have before.

Sophos' Ron O'Brien contends, however, that this is not a problem, at least from his company's perspective. "I would say that other vendors may not have coded their solutions with 64-bit Vista in mind," he told BetaNews, "but because we've taken a slightly different approach to HIPS, focusing more on identifying bad behavior by analyzing code before it executes, we have been able to make do with the interfaces that have been provided by Microsoft, rather than trying to subvert the kernel. That's why we're ready for 64-bit Vista, and other companies are not."

As O'Brien explained, his company's "behavioral genotyping" -- while it might sound like the worst techno-babble straight out of Star Trek -- does not need to hook into the API calls. Instead, it evaluates code before it is executed, and if the code "matches the genotype," then it never gets executed. His comments are consistent with those he made last month to BetaNews, when Symantec first raised objections before the European Commission about Microsoft's planned deployment of PatchGuard.

The fact of PatchGuard's existence is nothing new, so it may be a little too late for supporting vendors to be complaining about it, O'Brien contends. "I think that Symantec and McAfee have been struggling with [execution prevention], because they haven't coded their solution with Vista in mind, and because Sophos has taken a different approach...We're building our technology using supported Microsoft interfaces, rather than by trying to subvert them."

Assuming everything is indeed as rosy as O'Brien makes it out to be, why then would Sophos want or need to contribute to a security services API for Vista, especially since it would apparently help Sophos' rivals more than it would help Sophos? O'Brien's answer was both smooth and to the point: Essentially, Microsoft is developing the API that all security vendors who support Vista will eventually require, so it's in everyone's best interests -- including Sophos' -- to get on board.

"Obviously, I don't spend a lot of time thinking about the effectiveness of my competitors' ability to provide service," O'Brien remarked. "But clearly, from this point forward, Sophos and other vendors will have a dependency on Microsoft to deliver these kernel interfaces for new security interfaces. However, we're ready to go with a Sophos Anti-Virus version of our product that is compatible with Vista, and I don't believe that other security companies can make the same claim.

"It is somewhat counter-intuitive for me to be critical of a competitor," he continued. "However, in this particular instance, I would encourage enterprise-level customers to ask whether or not their security vendor is prepared to offer a security solution that is compatible with Windows Vista 64-bit. And if the answer is no, then I, as a customer, would ask why. And if the reason is because, 'We haven't worked with Microsoft in order to achieve that goal,' then my next question would be, 'Why not?'"